Nokia PC Suite dat/db etc files
Has anyone dealt with the PC suite files left in a users Application Data folder before? (within the relevant IMEI named folders)
I have various files of note, most of the dat's are reasonably readable, and the .db is browsable using an sqlite browser. However for some reason the message portion viewable as text within the .db doesnt appear to be viewable from any of the fields in the SQlite browser.
Are there any good viewers or parsers for these files? (the .db's particularly)
If you can see the text of the messages in the sqlite db (i.e. using strings) but not in SQLite browser (or other such tools), then the records are likely deleted. We use hex editors (xxd) and some custom programs which "carve" out the data structures from the db and recover more than just the text portions. If you'd like me to look at it, just send me a PM or email via my website…
Heh, I can view the raw hex and manipulate/export that as necessary. I'm just after something which can properly interpret the file. Whether that be a parser (ideally), or the format/structure of the file if not (even if that just confirms its definitely deleted records - rather than a format that isn't purely viewable using an sqlite browser)
(don't really have the time to spend days working this out as its just one of many items of info)
As always this is a live case so can't send anything wink
Understood, you are already using programs that properly interpret SQLite (i.e. SQLite Browser, sqlite, some perl libraries, etc.).
If the records are deleted (added to sqlite's internal "free-list"), I am not aware of any public programs to parse. Hex editor is a good route…after doing it many time, we just wrote some custom apps to automate the process. Good luck with the case.
Thinking out loud, is it possible to modify a bit or flag in a hex editor to change these records that are now in the free-list back to live records, with a view to looking at them an sqlite browser afterwards?
Edit Hmm and looking at them more, it definitely appears that all of the other info relating to the message is present in the SQLite browser (ie sender, date time etc), with the exception of the message blob which seems to only contain 1 char, so i'm still wondering whether they are in fact just not viewing correctly, as opposed to deleted.
Edit2 Appears like its browsing oddly for some reason, looking further, the sms_data blob value just appears to be displaying the first character of the blob for some reason. Why i haven't worked out yet P
Edit3 I'm wondering if that's because the blob is in Unicode, and that the standard sqlite browser(s) can't handle unicode blobs?
Appears its definitely related to the unicode stuff, its hitting the hex 00 and terminating the field/display of the field there. If I modify the field in a hex editor to ascii i can now see the messages displayed correctly.
(although there do appear to be a few deleted records also)
Still could do with a proper viewer for these, rather than manually editing the message entry to non unicode to display.
Guess i need to brush up on SQLite, to work out a query to output all the table info including the unicode blob data